public inbox for gentoo-user@lists.gentoo.org
From: Stroller <stroller@stellar.eclipse.co.uk>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user]  Copying a file via ssh with no password, keeping the system safe
Date: Thu, 7 Oct 2010 18:36:28 +0100
Message-ID: <9CCC708A-F24E-496C-BD59-242170F1182E@stellar.eclipse.co.uk>
In-Reply-To: <20101007184549.65756vlexbx2u7sw@momessonet.ath.cx>


On 7 Oct 2010, at 17:45, Momesso Andrea wrote:
> I need to set up a cron job to transfer a file every day from server A to server B.
> 
> I'd like to do that via ssh and with no user assistance, completely automated.
> 
> Setting up a public key, would do the job, but then, all the connections between the servers would be passwordless, so if server A gets compromised, also server B is screwed.
> 
> Is there a way to allow only one single command from a single cronjob to operate passwordless, while keeping all the other connections secured by a password?

You could create a user on server B called backup, a user with very limited permissions and no shell (/bin/false). Thus server A can transfer files to serverb:~backup but if the key is compromised then little else can be done.

Not sure if the user could somehow be run in a chrooted ssh, for better security? I'm not sure what files a new user "backup" would have read-access to by default? If the key is obtained from server A then the attacker could copy files from server B (back to wherever they like), and it might be possible to obtain information about what services are run on that system or otherwise learn vulnerabilities from what could be read. 

Stroller.
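The set-up suggested above (a dedicated low-privilege user on server B whose key can do little if it leaks) is usually done with per-key options in that user's authorized_keys rather than by changing the login shell alone: sshd runs a remote scp/rsync command through the user's shell, so a user whose shell is /bin/false cannot complete an scp transfer at all, whereas a `command="..."` option pins the key to one program regardless of what the client asks for, and the chrooted variant asked about in the reply is `ChrootDirectory` plus `ForceCommand internal-sftp` in sshd_config (internal-sftp needs no shell inside the chroot). The following shell functions are an added example, not part of this thread or of OpenSSH: one builds such a restricted key line, one audits an existing authorized_keys file for keys that carry no forced command, and one prints the sftp-only Match block. The forced-command path, the chroot directory and the source address are placeholders. The explicit `no-*` options are the portable form that existed in 2010; on OpenSSH 7.2 and later a single `restrict` option covers them.

```shell
#!/bin/sh
# Added example (not from the thread). Hardening helpers for a "backup" user
# that receives files over ssh from a cron job on another host.

# Build an authorized_keys line that pins a public key to one forced command.
#   $1 = public key material, e.g. 'ssh-ed25519 AAAA... cron@servera'
#   $2 = the only program this key may run (placeholder path in the usage below)
#   $3 = source address/pattern the key is accepted from (from= option)
# The no-* options deny TCP/X11/agent forwarding and pty allocation, so even a
# leaked key gives the holder nothing but a run of $2 from $3.
restricted_key_line() {
    key="$1"; cmd="$2"; src="$3"
    printf 'from="%s",command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$src" "$cmd" "$key"
}

# Audit helper: print every key in an authorized_keys file ($1) that has no
# forced command (neither command= nor the newer restrict option), i.e. every
# key that grants a full interactive login to its holder.
unrestricted_keys() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                 # comments and blank lines
        $1 ~ /^(ssh-|ecdsa-|sk-)/ { print; next }     # line starts with the key type: no options field at all
        {
            opts = $0
            sub(/ (ssh-|ecdsa-|sk-).*/, "", opts)     # keep only the options field (may contain spaces inside quotes)
            if (opts !~ /(^|,)(command=|restrict)/) print
        }
    ' "$1"
}

# sshd_config fragment for a chrooted, sftp-only backup user (placeholder paths).
# ChrootDirectory must be owned by root and not writable by any other user;
# create a writable subdirectory (e.g. /srv/backup/incoming) for the uploads.
sftp_only_match_block() {
    cat <<'EOF'
Match User backup
    ChrootDirectory /srv/backup
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
EOF
}

# Usage (placeholder values):
#   restricted_key_line 'ssh-ed25519 AAAAC3...== cron@servera' \
#       '/usr/local/bin/receive-backup' '192.0.2.10' >> ~backup/.ssh/authorized_keys
#   unrestricted_keys ~backup/.ssh/authorized_keys   # should print nothing
#   sftp_only_match_block >> /etc/ssh/sshd_config
```

The forced command should itself be a small allow-listing wrapper (or a purpose-built one such as rsync's rrsync) rather than an unrestricted scp or rsync server, since otherwise the key holder can still read and write anything the backup user can reach. The audit function is worth running against every account on server B, not only the backup user, because a key with no options on any account undoes the whole arrangement.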
